The Essential Guide to HITECH Act

The major security provisions of "HIPAA II"

ome call it HIPAA on Steroids. Others simply call it HIPAA II. Technically, it's the Health Information Technology for Economic and Clinical Health Act. But however you label it, the HITECH Act spells out tougher data security requirements for all health care organizations as well as their business associates.

Although the Health Insurance Portability and Accountability Act of 1996 led to the creation of federal healthcare information privacy and security rules, the penalties for violations were relatively mild, and the enforcement was nearly nonexistent. But that's all changing thanks to the HITECH Act. The Act was one of dozens of provisions tucked into the economic stimulus package, known as the American Recovery and Reinvestment Act, in February 2009. It's also known as Title XIII of ARRA.

Congress included the beefed-up security provisions in tandem with incentive funds from Medicare and Medicaid to help pay for adoption of electronic health records at hospitals and physician group practices. The intent was to help ensure that as more information is digitized it will remain secure.

Enforcement of perhaps the most significant security provision of HITECH, the security breach notification rule, is slated to kick in on Feb. 22, 2010. An Aug. 24, 2009, Interim Final Rule from the U.S. Department of Health and Human Services spells out security breach notification requirements in more detail.

Following is a summary of the major data security components of the HITECH Act:

Business associates

The HIPAA privacy and security rules, and penalties, now apply directly to business associates, such as banks, claims clearinghouses, billing firms, health information exchanges and software companies, as though they were healthcare organizations. Previously, the rules only applied to "covered entities," including such healthcare organizations as hospitals, physician group practices and health insurers. Now, the rules apply to any organization that has access to "protected health information."

Breach notification rule

The major provisions include:

60 days notice

Covered entities, as well as their business associates, must notify individuals within 60 days if protected health information is breached. They also must notify the Department of Health and Human Services and local news media if the breach involves more than 500 individuals.

Annual report

Covered entities must maintain a log of all data security breaches and annually submit it to HHS.

Who reports to whom?

Business associates experiencing a breach must notify the covered entity, which then must notify the individuals. Companies that sell personal health records, however, must comply with a similar breach notification rule from the Federal Trade Commission.

Defining "breach"

According to HITECH, the term "breach" means "the unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information, except where the unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information."

Snail mail requirement

A healthcare organization would have to send out a first-class letter to any patients who might have been affected by a breach. (Electronic mail can be used "provided the individual agrees to receive electronic notice and such agreement has not been withdrawn," according to the Interim Final Rule.) If 10 of those first-class letters are returned for a bad address, the hospital must then post notification of the breach on its home page and offer a toll-free breach information number for 90 days, the Interim Final Rule points out. Instead of the Web site posting, an organization could publish a notice of breach in the local news media.

Important exceptions

Notification of a breach is not required if the information was unintentionally disclosed to an authorized recipient and not further disclosed.

Breaches also do not have to be reported if the data involved is rendered unreadable via encryption. Data encryption, however, must be NIST Federal Information Processing 140-2 Standard validated, according to the Interim Final Rule that further spelled out breach notification requirements.

"Covered entities and business associates should keep encryption keys on a separate device from the data that they encrypt or decrypt," the Interim Final Rule states.

Harm threshold

In addition, the Interim Final Rule instituted a "harm threshold" that would dictate when an organization has to notify individuals of a breach. Under this provision, organizations much conduct a risk assessment "to determine if there is a significant risk of harm to the individual as a result of the impermissable use or disclosure." That means federal regulators are largely leaving it up to healthcare organizations to determine if they need to give notification. The provision has been criticized by many privacy advocates and hailed by some healthcare associations.

More audits

Although healthcare organizations can determine on their own whether a breach should be reported, HITECH provides funding for periodic audits by federal regulators of both healthcare organizations and their business associates to ensure they are, in fact, complying with all privacy and security rules.

Enforcement

The Office of Civil Rights within the U.S. Department of Health and Human Services has enforcement authority for the breach notification rule. State attorneys general can bring a civil action in federal court for violations of healthcare security and privacy rules. Victims can receive compensation from fines levied against individuals and organizations.

Tougher fines

Penalties now can be levied against individuals within a healthcare organization as well as the organization itself. Penalties for breaches of personal healthcare information or other HIPAA violations range up to $1.5 million per violation. This is separate from any criminal penalties that might apply.

Accountability

Individuals can request that healthcare organizations account for all disclosures of their protected health information from electronic health records systems. This includes information used for treatment, payment and operations. A covered entity may impose a fee for such accounting that's no greater than its cost. The effective date is dependent on when the EHR system was installed.

Copies of records

Individuals now have the right to receive an electronic copy of their personal health information that's stored in an electronic health record. Healthcare organizations can charge a fee that covers their labor costs for producing the copy.

"Minimum necessary" disclosures

The HITECH Act specifies that covered entities should limit uses and disclosures of personal health information to the "minimum necessary" to conduct a particular function. The U.S. Department of Health and Human Services is expected to issue regulations this year governing the "minimum necessary" provisions.

Marketing restrictions

Under the HIPAA privacy rule, when healthcare organizations were paid by companies to send communications to patients about new products and services, they were considered part of the organization's operations, and, thus, were permissible. Under the HITECH Act, these are considered marketing activities and are subject to regulations that will be issued later this year. An exception is permitted if the communication is about a currently prescribed drug and the company's payment to the healthcare organization is "reasonable."